From 78e1b70e35b45455728e4126ed1b19d6332ad26b Mon Sep 17 00:00:00 2001
From: rajatsharma94
Date: Mon, 20 Jul 2015 22:49:56 +0530
Subject: Failed security check
The implemented security check to make sure the path is NOT a URL can easily be bypassed (gives false negative) for all subdomains. Eg "subdomain.domain.com" should ideally show an error but it does not. The new security check tries to make a fsockopen connection to validate whether the URL is external or not.
---
 system/helpers/path_helper.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'system/helpers/path_helper.php')
diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php
index 34eebc4b0..019e220f3 100644
--- a/system/helpers/path_helper.php
+++ b/system/helpers/path_helper.php
@@ -61,8 +61,7 @@ if ( ! function_exists('set_realpath'))
 function set_realpath($path, $check_existance = FALSE)
 {
 // Security check to make sure the path is NOT a URL. No remote file inclusion!
- // PROBLEM HERE - this can be easily bypassed in case of subdomains
- if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i', $path))
+ if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i', $path) || ( function_exists('fsockopen') && @fsockopen($path, 80, $errno, $errstr, 30)))
 {
 show_error('The path you submitted must be a local server path, not a URL');
 }
-- cgit v1.2.3-24-g4f1b
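Review bot: The `@fsockopen($path, 80, $errno, $errstr, 30)` added to the `if` condition makes set_realpath() perform a DNS lookup and TCP connect to a caller-supplied string, so input that reaches this helper can make the server contact arbitrary hosts and stall for up to 30 seconds per call. It also misclassifies: a remote host that is silent on port 80 still passes, a local relative name that happens to resolve and answer is rejected, and `@` hides why. PHP file functions only go remote for a `scheme://` stream wrapper, so a bare `subdomain.domain.com` is opened as a local name. I would drop the probe and match wrapper syntax instead, e.g. `if (preg_match('#^([a-z][a-z0-9+.\-]*://|www\.|ftp|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})#i', $path))`. The rest of set_realpath() lies outside the hunk, so whether the path is later confined to a base directory is not visible here.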